- Direct Shellcode Execution
  - Injecting and executing shellcode directly in a target process.
- Process Hollowing
  - Creating a new process in a suspended state, replacing its code with shellcode, and resuming it.
- DLL Injection
  - Injecting a DLL containing shellcode into a target process.
- Remote Thread Injection
  - Creating a remote thread in a target process that executes shellcode.
- Reflective DLL Injection
  - Loading and executing a DLL directly from memory.
- Heap Spraying
  - Allocating a large amount of memory in a process and filling it with shellcode to increase the chances of execution.
- Code Cavities
  - Finding and exploiting unused code sections in an existing binary to inject shellcode.
- Stack Pivoting
  - Redirecting the stack pointer to controlled data that includes shellcode.
- Atom Bombing
  - Using the Windows atom table to store shellcode and execute it.
- Thread Hijacking
  - Hijacking an existing thread to execute shellcode.
- Callback Functions
  - Using Windows callback functions (e.g., Windows Hooks, APCs) to execute shellcode.
- VBA Macro Injection
  - Embedding shellcode in a VBA macro in Office documents.
- Hardware Breakpoints
  - Setting a hardware breakpoint to trigger execution of shellcode.
- Registry-based Persistence
  - Storing shellcode in the Windows registry and executing it via a registry-based mechanism.
- Userland API Hooking
  - Hooking userland APIs and redirecting execution flow to shellcode.
- COM Hijacking
  - Hijacking Component Object Model (COM) objects to execute shellcode.
- Windows Management Instrumentation (WMI)
  - Using WMI scripts or events to execute shellcode.
- Transacted Hollowing
  - Using Windows transactions to hollow out and replace code in a transacted file.
- PowerShell
  - Using PowerShell scripts to download and execute shellcode.
- Abusing Signed Binaries
  - Using legitimate signed binaries (Living off the Land Binaries) to load and execute shellcode.